Poor man's captcha: why wouldn't this work?

Let's say we're trying to keep blog and forum spammers out
of our site--we're not trying to protect fort knox.

1) Step one is a one-time-only step.
We create six different css files that define the
same six color names differently, but each such
css file assigns red to one and only
one of those same six color names, and then store
the six somewhere in the document_root.

2) We make a dynamically generated GET page that mods a random number
to between 1 and 6 and sets that number as a session variable.
That number will tell us in a later POST which of the six
css files to use when we generate a dynamic POST page.

We also randomly create 6 digits between 1 - 256 and concatenate
them into a comma-delimited string. We set that string
as a session variable.

3) In the post we generate a page that specifies one
of the six css files in its header, according to the value
of the first session variable. Because we have that session
variable, and because we know which of the six different
css schemes we are now using, we know which css attribute
in the current scheme means red. We don't care about the other
colors.

4) Now we generate 256 random digits (between 1 - 256) into an array.
We loop through the array and concatenate a <b class="xx">$digit</b>
onto a string. For each such <b> tag we randomly choose one of
the css colors known not to be red, except for the N array index digits
we get from the exploded comma-delimited session var #2.
We set those <b class="yy"> tags to the color known (only to us)
to be red.

5) Now we echo the string of <b> tags. Six out of the
256 randomly generated digits will be red, all the others
some undetermined color. But we know which ones are
red.

6) Now we do another post, asking the user to tell us which
of the 256 digits are red.

7) if the post variable matches the session stuff, we proceed,
else we tell the client computer to chop the fingers off
the spammer's hands and smoke the seat of his pants.

Sep 20 '06 #1

pittendrigh wrote:
> Let's say we're trying to keep blog and forum spammers out
> of our site--we're not trying to protect fort knox.
....ok, the spammer is not sitting at a keyboard, it's a bot.
That's why we need a poor man's captcha.

Sep 20 '06 #2
pittendrigh wrote:
> Now we echo the string of <b> tags. Six out of the 256 randomly generated
> digits will be red, all the others some undetermined color. But we know
> which ones are red.
Not if the user is colorblind. Perhaps it would be possible to make some of
the numbers bolded, italicized, or sized differently from the others.
Basing anything on color, though, is a big accessibility issue that is
easily avoided in this case.

--
Benjamin D. Esham
bd*****@gmail.com | AIM: bdesham128 | Jabber: same as e-mail
"...English is about as pure as a cribhouse whore. We don't just
borrow words; on occasion, English has pursued other languages
down alleyways to beat them unconscious and rifle their pockets
for new vocabulary." — James Nicoll
Sep 20 '06 #3
It would work (other than the color-blindness Benjamin mentioned).

But why go to all that trouble when there are several captcha routines
out there for your use?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 20 '06 #4
> But why go to all that trouble when there are several captcha routines
> out there for your use?
Tell me tell me.
I spent about an hour surfing Google for cut-and-paste php captcha
stuff.
But nothing worked.

One died on my linux box because I didn't have truetype fonts.
Another died when I hadn't paid for a "registration key"
That pissed me off and I decided to try and roll my own.

If I knew the location of a useable captcha package I'd use it.

Sep 20 '06 #5
pittendrigh wrote:
>> But why go to all that trouble when there are several captcha routines
>> out there for your use?
>
> Tell me tell me.
> I spent about an hour surfing Google for cut-and-paste php captcha
> stuff.
> But nothing worked.
>
> One died on my linux box because I didn't have truetype fonts.
> Another died when I hadn't paid for a "registration key"
> That pissed me off and I decided to try and roll my own.
>
> If I knew the location of a useable captcha package I'd use it.
There are any number of them around. You might try www.hotscripts.com
for a start. Also www.freshmeat.com, www.phpclasses.org...

Just searching google for

captcha php

came up with most of the above (except hotscripts) and more on the first
page. Most with usable code. But you generally have to have the gd
libs installed and running properly for any captcha to work.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 20 '06 #6

Instead of coloring certain numbers to random colors, why not just make them
invisible using visibility:hidden; display:none; -works for colorblind
people as well. That leaves us just the blind. You should set the letters
inaudible as well for screenreader using volume:silent; speak:none;
So your hiding css mask would be:

    .xx {
        visibility: hidden;
        display: none;
        volume: silent;
        speak: none;
    }

--
"Ohjelmoija on organismi joka muuttaa kofeiinia koodiksi" - lpk
http://outolempi.net/ahdistus/ - Satunnaisesti päivittyvä nettisarjis
sp**@outolempi.net || Gedoon-S @ IRCnet || rot13(xv***@bhgbyrzcv.arg)
Sep 20 '06 #7

Benjamin Esham wrote:
> Not if the user is colorblind. Perhaps it would be possible to make some of
> the numbers bolded, italicized, or sized differently from the others.
> Basing anything on color, though, is a big accessibility issue that is
> easily avoided in this case.
Bolded fonts would work for the color blind.
The blind would be out of luck. But this is a boat building site,
and (unfortunately) the blind can't build boats anyway.

My idea would be too easy to crack for widespread use.
But if I put it on my boat building forum only, no one would take
the time to crack it, just to post a few porno links on my site.

So I think I'll do it, instead of searching for a well-known captcha
package. Should take no more than a few hours to code.

Thanks for the feedback.

Sep 20 '06 #8
I've always thought that the whole use of graphics images could be
avoided completely, and even keep text-readers for the blind happy, with
something like this...

Have a database of common questions and answers, and even allow
registered users to submit more questions, so it's a never-ending battle
for the spammer to try to predict ALL the questions, as loyal site
visitors contribute to the battle against spam.

Q: What type of plant is commonly found in a forest?
A: tree

Q: What is the sum of two plus three?
A: five

Q: What is the color of the sky?
A: blue

Q: What type of animal loves to chase cats and cars?
A: dog

You get the idea. Though I like the CSS route too. Very creative.

-GC
Sep 20 '06 #9
>Let's say we're trying to keep blog and forum spammers out
>of our site--we're not trying to protect fort knox.

> 4) Now we generate 256 random digits (between 1 - 256) into an array.
> We loop through the array and concatenate a <b class="xx">$digit</b>
> onto a string. For each such <b> tag we randomly choose one of
> the css colors known not to be red, except for the N array index digits

As I understand it, you're going to have a bunch of html like:

    <b class="urk">5</b>
    <b class="bog">6</b>
    <b class="kub">3</b>
    ...

Exploit (although it does require some bot programming):
Spammer counts number of times urk, bog, kub, nom, val, and tov occur.
Whichever one appears 6 times, is the correct one. Use the corresponding
digits. If there's more than one, guess.

Actually, even a 1-in-6 guess on the colors with no counting isn't
bad for a spammer who's hammering your web server unless you've got
other traps like IP banning after so many bad tries.

Also, remember that the HTML tells the bot which css file is the
correct one, and it could fetch it and parse it.

Sep 21 '06 #10
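
Added example, not part of any post in this thread: the server side of steps 2-7 from post #1 in PHP, with the answer kept only in the session, each challenge usable once, and the limit on bad tries that post #10 asks for. The class names are the ones from post #10; MAX_FAILS, the scheme file names and the plain $session array standing in for $_SESSION are assumptions. It does not change what post #10 points out about the markup and the css file being readable by the client.

```php
<?php
// Added example, not code from the thread. Class names come from post #10;
// MAX_FAILS, the css file names and the $session layout are assumptions.
const CLASSES   = ['urk', 'bog', 'kub', 'nom', 'val', 'tov'];
const TOTAL     = 256;  // numbers shown on the page
const MARKED    = 6;    // numbers the visitor must pick out
const MAX_FAILS = 5;    // bad tries allowed before the session is locked

// Steps 2-5: choose the scheme and positions, keep the answer server-side,
// and hand back only the markup.
function new_challenge(array &$session): string
{
    $scheme = random_int(0, count(CLASSES) - 1);  // which class means red
    $decoys = array_values(array_diff(CLASSES, [CLASSES[$scheme]]));

    // MARKED distinct positions out of TOTAL, drawn with a CSPRNG.
    $positions = [];
    while (count($positions) < MARKED) {
        $positions[random_int(0, TOTAL - 1)] = true;
    }

    $html   = '';
    $answer = [];
    for ($i = 0; $i < TOTAL; $i++) {
        $n = random_int(1, 256);
        if (isset($positions[$i])) {
            $class    = CLASSES[$scheme];
            $answer[] = $n;
        } else {
            $class = $decoys[random_int(0, count($decoys) - 1)];
        }
        $html .= sprintf('<b class="%s">%d</b> ', $class, $n);
    }

    $session['captcha_css']    = sprintf('scheme%d.css', $scheme + 1); // hypothetical name
    $session['captcha_answer'] = implode(',', $answer);
    return $html;
}

// Steps 6-7: compare the POSTed comma-separated list with the stored one.
function check_answer(array &$session, string $submitted): bool
{
    if (($session['captcha_fails'] ?? 0) >= MAX_FAILS) {
        return false;                     // locked: stop evaluating guesses
    }
    $expected = $session['captcha_answer'] ?? null;
    unset($session['captcha_answer']);    // single use: a miss needs a new challenge
    $given = preg_replace('/\s+/', '', $submitted);
    if (is_string($expected) && hash_equals($expected, $given)) {
        $session['captcha_fails'] = 0;
        return true;
    }
    $session['captcha_fails'] = ($session['captcha_fails'] ?? 0) + 1;
    return false;
}

// Constructed run: a plain array stands in for $_SESSION.
$session = [];
$page = new_challenge($session);
$good = $session['captcha_answer'];
var_dump(substr_count($page, '<b class=') === TOTAL); // count the emitted tags
var_dump(check_answer($session, $good));              // submit the stored list
var_dump(check_answer($session, $good));              // submit the same list again
for ($i = 0; $i < MAX_FAILS; $i++) {                  // a run of wrong answers
    new_challenge($session);
    check_answer($session, '0');
}
new_challenge($session);
var_dump(check_answer($session, $session['captcha_answer'])); // submit after the lock
```

The failure counter lives in the session, so a client that discards its cookie starts again at zero; the IP-based limit mentioned in post #10 covers that case.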
The blind can't build boats - I have to disagree my friend -
http://66.102.9.104/search?q=cache:h...&ct=clnk&cd=16

Joe


Sep 21 '06 #11
I have made a CAPTCHA that requires no GD library, TrueType fonts or
database.

see an example of it by visiting:
http://www.ThePhpPro.com/products/captcha/

- Tim

Jerry Stuckle wrote:
> There are any number of them around. You might try www.hotscripts.com
> for a start. Also www.freshmeat.com, www.phpclasses.org...
>
> Just searching google for
>
> captcha php
>
> came up with most of the above (except hotscripts) and more on the first
> page. Most with usable code. But you generally have to have the gd
> libs installed and running properly for any captcha to work.
Oct 11 '06 #12

Klaus Brune wrote:
> I've always thought that the whole use of graphics images could be
> avoided completely, and even keep text-readers for the blind happy, with
> something like this...
<snip>

I've written an accessible captcha system, which asks random multiple
choice questions,
it's available under the gpl with all php source code
http://system-x.info/?pageid=18&menutree=47

Oct 12 '06 #13
